Identifier

CVE-2020-9487

Package Slug

maven/org.apache.nifi/nifi

Vulnerability

Missing Authentication for Critical Function

Description

In Apache NiFi, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.

Affected Versions

All versions starting from 1.0.0 up to 1.11.4

Solution

Upgrade to version 1.12.0 or above.

Last Modified

2020-10-06

source